This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes
One of the fun things about vulnerability research is that there are so many places for bugs to hide. Modern devices have multiple processors, bits of radio hardware and millions of lines of code. When [Veronica Kovah] of Dark Mentor LLC decided to start vulnerability research on the Bluetooth Low Energy protocol, she chose to target the link layer itself, rather than the code stack running as part of the main operating system. Interestingly, the link layer has to process data before any authentication is performed, so a vulnerability found there is guaranteed to be reachable pre-authentication. Also of interest, many different devices are likely to share the same BLE chipset, which means these vulnerabilities will show up on many different devices. [Veronica] shares great information on how to get started, as well as details on the vulnerabilities she discovered, in the PDF write-up. (Just a quick note, this link is not to the raw PDF, but displays the GitHub PDF preview.) There is also a video presentation of the findings, if that is more your speed.
The first issue we will look at is CVE-2019-15948, which affects a handful of Texas Instruments BT/BLE chips. The problem is in how BLE advertising packets are processed. An advertising packet must always contain at least six bytes of data, which are reserved for the address of the sending device. Part of the packet parsing process is to subtract six from the packet length and use that value as the length of a memcpy. A malicious packet can be shorter than six bytes, and the result is that the subtraction wraps around, the copy length becomes a very large value, and the copy overwrites the stack. To turn this into an exploit, a pair of packets is sent repeatedly, placing malicious code at the location where program execution will land.
The second notable vulnerability, CVE-2020-15531, targets a Silicon Labs BLE chip and uses malformed extended advertising packets to trigger a buffer overflow. Specifically, the message sent is longer than the specification allows. Instead of dropping this malformed message, the chip's firmware processes it, overflowing the buffer. Going a step further, this chip has non-volatile firmware, and it is possible to modify that firmware permanently. [Veronica] points out that even embedded chips like these need some secure boot capability to prevent this kind of persistent attack.
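As an added illustration (not code from the write-up, nor TI's or Silicon Labs' firmware), the length-subtraction pattern behind the TI bug beside a parser that checks the length before any arithmetic or copy; the same check drops packets longer than the specification allows, which is the class of input the Silicon Labs bug mishandles. The 6-byte address and 31-byte legacy advertising payload limit come from the BLE specification; the sample packets are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLE_ADDR_LEN  6u   /* AdvA: the sender address every advertising PDU carries */
#define ADV_DATA_MAX 31u   /* maximum AdvData in a legacy advertising PDU */

/* The unsafe pattern the write-up describes (a constructed illustration, not
 * TI's firmware): PDU length minus the address length becomes the memcpy
 * length, with no check that the PDU held an address at all. For a length
 * below 6 the unsigned subtraction wraps to an enormous value. */
size_t vulnerable_copy_len(uint8_t pdu_len) {
    return (size_t)(pdu_len - BLE_ADDR_LEN);   /* pdu_len = 4 wraps to UINT_MAX - 1 */
}

/* Hardened parser: bounds-check before any arithmetic and before any copy.
 * Too-short PDUs (the CVE-2019-15948 case) and over-long ones (the oversized
 * packets behind CVE-2020-15531) are rejected without touching the outputs. */
bool parse_adv_pdu(const uint8_t *pdu, size_t pdu_len,
                   uint8_t addr_out[BLE_ADDR_LEN],
                   uint8_t data_out[ADV_DATA_MAX], size_t *data_len_out) {
    if (pdu == NULL || pdu_len < BLE_ADDR_LEN) return false;
    size_t data_len = pdu_len - BLE_ADDR_LEN;   /* cannot wrap: pdu_len >= 6 */
    if (data_len > ADV_DATA_MAX) return false;
    memcpy(addr_out, pdu, BLE_ADDR_LEN);
    memcpy(data_out, pdu + BLE_ADDR_LEN, data_len);
    *data_len_out = data_len;
    return true;
}
/* Does the hardened parser accept this PDU? */
bool pdu_accepted(const uint8_t *pdu, size_t pdu_len) {
    uint8_t addr[BLE_ADDR_LEN], data[ADV_DATA_MAX];
    size_t n;
    return parse_adv_pdu(pdu, pdu_len, addr, data, &n);
}

/* Constructed sample PDUs: valid (address + 3 data bytes), shorter than an
 * address, and longer than the specification allows. */
const uint8_t VALID_PDU[] = {0xC0,0xFF,0xEE,0x12,0x34,0x56, 0x02,0x01,0x06};
const uint8_t SHORT_PDU[] = {0xC0,0xFF,0xEE,0x12};
const uint8_t LONG_PDU[BLE_ADDR_LEN + ADV_DATA_MAX + 1] = {0};

int main(void) {
    printf("unsafe copy length for a 4-byte PDU: %zu\n", vulnerable_copy_len(4));
    printf("valid:%d short:%d long:%d\n", pdu_accepted(VALID_PDU, sizeof VALID_PDU),
           pdu_accepted(SHORT_PDU, sizeof SHORT_PDU), pdu_accepted(LONG_PDU, sizeof LONG_PDU));
    return 0;
}
```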
NEC Phone Systems
This story was sent in directly by [Austin Martinetti], who worked on this research with [Brett Bryant]. They looked at an interesting platform, NEC telephone systems. What did they find? Several issues, such as a hard-coded username/password and an HTTP endpoint that resets the default user passwords: PasswordReset.htm?PWD_RESET()
What can you do once you have access to the web interface? How about a hidden endpoint that downloads voicemail messages. For the impatient, there is even a quick-and-dirty script to automate downloading the entire backlog of voicemail. Then there is the really interesting developer account: a little manipulation of POST data in your web browser lets you change that account to a privilege level above administrator.
All of this is interesting, but we know better than to expose the web interface of an embedded device to the Internet at all. As long as it is unreachable from the outside world, we need not worry about these bugs. Right? It turns out that when NEC built its voicemail add-on, it included a sneaky little hidden feature. Extension 740 hosts an old-school dial-up modem. Any valid credentials from the web interface can be used to connect and access the system, including some undocumented services.
These vulnerabilities were disclosed privately, and updated firmware is available (PDF). If you happen to have NEC phones sitting on your desk, it might be worth applying the firmware updates. And for God's sake, don't expose your phone system's ports to the Internet!
Tor Exit Nodes
Tor is a boon to anonymity on the Internet, but have you ever looked closely at the potential downsides? Tor is a clever network that uses layers of encryption to strongly anonymize traffic by sending it through multiple relays and finally reaching the regular Internet via an exit node. This exit node is the weak point of the Tor network in several ways. Because of the sometimes malicious or illegal traffic sent through Tor, exit nodes are often targeted by law enforcement or network operators. These nodes are a weak point for another reason: the exit node can inspect, and potentially modify, all traffic that passes through it.
This should not be a problem, since we have TLS to protect against MitM attacks. But there is a clever attack that can bypass the protection of TLS: SSL stripping, notably introduced by [Moxie Marlinspike] in 2009. The idea is simple. A user tries to access a website over HTTP, and the site returns a redirect to an HTTPS connection. The attacker intercepts that redirect and proxies the HTTPS connection itself, leaving the user on an unencrypted connection. This attack is of limited use, because web browsers remember permanent redirects, so it is considered best practice to use a 301 Moved Permanently redirect to enforce HTTPS connections.
So how many of Tor's current exit nodes would you guess are malicious? According to [nusenu], at one point almost 25% of Tor exit connections were going through malicious exit nodes. This is not an easy problem to solve, as most exit nodes are run by volunteers. When these malicious nodes are found, many of them are removed at once, but it is relatively easy to shuffle names and IP addresses and bring the nodes back onto the network. It is estimated that you currently have a 10% chance of landing on a malicious exit node when using Tor. This is a known problem and is slowly being worked on, but at the moment the Tor Project does not have the resources to tackle it in earnest. If you are going to use Tor to access external sites, be sure to check specifically that your connection really is an HTTPS connection.
Red Team Stories
Some of the best stories in infosec come from the red teams that do penetration tests. This week, [Federico Lago] shares some stories and tips from a recent successful pentest. The first tip, for reconnaissance, is to try port scanning while setting the source port to a commonly used port. Apparently, many firewalls are misconfigured to allow inbound traffic from these ports when the intention was only to allow outbound traffic.
The second tip is that the Simple Network Management Protocol (SNMP) can be extremely powerful for enumerating information about a system. It is not a TCP service, so it is easy to miss, but it is worth the effort. There is a lot of potentially useful information to be had, including a list of processes and their command-line arguments. In this case, a valid username and password combination was found for a previously discovered Jenkins instance. Jenkins can be configured with the "script console" enabled, and it is possible to abuse this to get a reverse shell and bash access.
Part 2 continues the story, detailing how they used a boot command available through sudo to get a root shell, and then used the same SNMP trick to gain access to the company's databases. The whole thing is a good read, so go check it out.
Bits and Bytes
Ars told us about FritzFrog, a new Linux botnet client that spreads through weak SSH password policies. Guardicore has the technical report, with juicy details and indicators of compromise. You may want to check your servers for an added SSH authorized key, binaries running from non-existent locations, and a listening socket on port 1234.
On Gmail, DMARC/SPF protections could be short-circuited by using the Gmail inbound gateway setting together with the global mail routing setting in the G Suite admin console. In essence, the inbound gateway disables SPF and DMARC checking for mail coming from the specified IP address. Forwarding that mail back through Google's mail service means the messages are then signed by Google, so they pass those checks downstream. Although there were some complications along the way, the bug has since been fixed.
Kali Linux, formerly BackTrack, has cut its 2020.3 release. Most notable is the addition of a new set of Bluetooth tools. There is also the new "Win-KeX", a persistent graphical interface for running Kali in the Windows Subsystem for Linux.